Re: ImageMagick Is On Fire -- CVE-2016-3714

[Kurt Seifried <kseifried () redhat com>]

Without making a commercial pitch for the company I work ... I suspect one
aspect of other vendors not fixing this is that there is a very
simple/effective/verifiable workaround to prevent exploitation of this, and
even with vendor updates I would still suggest using the workaround, after
reading the MVG docs it seems to much like flash to ever be "safe" (also in
a web app world I can't imagine a normal use case for people uploading MVG
files).

On Thu, May 19, 2016 at 11:07 AM, Bob Friesenhahn <
bfriesen () simple dallas tx us> wrote:

> I find it very disturbing that there seems to be very little response from
> popular OS distributions to this issue.  Most do not appear to have issued
> any package updates to close the shell exploit.  Perhaps
> the opinion is that major new versions will be introduced as part of major
> distribution releases and it is ok for users to exposed to problems for two
> or three years.
>
> As an example Ubuntu 14.04.4 LTS (which is supposed to be getting security
> updates) has not provided ImageMagick or GraphicsMagick package updates in
> 3 years.
>
> Even NebBSD pkgsrc does not appear to have created a new version to
> address the "ImageTragick" issues.
>
> What is the point of security notices and advisories if there is no
> response from the community to provide updates to protect the majority of
> their users (who are using 'stable' releases) from the problems?
>
>
> Bob
> --
> Bob Friesenhahn
> bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com